I'm not convinced by those examples of systems that need to bridge the security-critical and IVI networks; all of the stability-control-related systems (plus stability control itself) seem critical, likewise cruise control, while none of the door-lock things are. It seems to me that you would need a device that listened to the critical bus and report to the non-critical bus, so that the CD player could tell when the car is in motion. However, as far as I can tell, this device doesn't need to do able to affect the critical bus.
I'm not clear as to the intent of suggesting an IP network instead of the CAN network, in any case; IP is not at the same protocol layer. You could switch from CAN to ethernet, but you'd need a custom switch (which knows which sensors are where and what's most important) in order to avoid having the denial of service problem be at least as bad. Sure, you couldn't have the CD player tell the brakes they shouldn't engage, but you couldn't really keep the CD player from pushing 100Mb of audio data at the brakes so packets from the brake pedal don't get through. And CAN has the security advantage that you can build your CD player with a CAN PHY that is only able to use low-priority IDs. It's practically impossible for an ethernet PHY to know that it would be flooding the network.